Show by Label

Thursday, March 17, 2016

(2)Installing and Configuring the OpenVPN package

This is a follow-up and continuation on the first post in this series, "how-To: Un-geoblock Netflix and cast movies from a tablet to a TV

9.b Installing and Configuring the OpenVPN package

Time to install the OpenVPN package.

sudo apt-get install openvpn

At this point I’m going to show you how to use a commercial VPN service provider and setup an OpenVPN connection to a location in a country of your choice. I’m going to do this later when I will connect to my own router and network, and setup everything by myselves, but there is a lot we can learn from this process.

If you don’t have a VPN service already lined-up, or don’t want to sign-up for one, just read the following two chapters for background and to learn.

When I searched for a VPN service provider myself, I had several selection criteria. After researching several candidates, I selected HideMyAss! ( or HMA! in short, for a number of reasons. 

Their name is not one of them though. Butt(!) in case you didn’t know, an ass is a hoofed mammal of the horse family with a braying call, typically smaller than a horse and with longer ears. It can also mean a foolish or stupid person. Lastly, it is a common description for the body part you sit on. HMA! uses the hoofed version as their company mascot.

A couple of keys factors in my selection criteria was that they are an English company and therefore more outside the fangs of the US NSA. They also have multiple servers in the countries of interest to me. They have good chat support and are very up-front with how they work, what data they store from you etc. Lastly they accept Paypal so you don’t need to send them credit card information.

For my initial Netflix viewing of the content in my home country while on vacation in another one, I used them until they got in the cross-hairs from the Netflix geo-police which disabled this geo-unblocking method for me. 

That caused me to investigate other means and led to these posts.

10.Installing the HideMyAss VPN Service

My assumption is that you already have a subscription with HMA!, or you can go to their website and sign on. You can do this for a one month period ($11,52 incl. VAT) if you want to try them out. 

If you have plans to go down that route, I suggest you get a one month trial subscription with HMA!. It will be money well spent in the learning process, and even if you decide later to use another VPN supplier, you will know a lot more to get a VPN to work in your environment.

Like most of their colleagues’, HMA! support several VPN protocols, one of them is OpenVPN, although that is not well publicized on the website. In any case, as you can see on their website, they have clients for just about every OS flavor or device. Linux is one of them although again I don’t think that it is prominently  “advertised” on the main website.

Go here to get a selection of installation instructions for the OS’s they support.
Select Linux from the list. After some searching, I eventually came to this page:

Unfortunately, downloading the zip file to my PC, unzipping and then cutting & pasting the script to the Pi caused a weird script execution error that I couldn’t fix quickly. Embedded in the script however is a link that I used to download the script file directly on my Pi.

To get the script, run this from within your home directory (/home/pi), and as user pi:

makedir hma
cd hma
curl -s -k >
chmod +x

This is a complete installation script that will install the required packages on your Pi, setup the environment for OpenVPN and start a VPN connection to a server in a country/city you select.

The required packages that will be installed if they are not on your system yet, are dialog and fping
Dialog displays nice looking dialog boxes with scrollbars etc. from shell scripts. Dialog is a package like whiptail. Fping is like ping, but differs because you can feed it a list of IP addresses to ping. It sends a ping to every IP address on the list and then moves on to the next. The script uses that feature to find the fastest servers by doing a latency test.

Before you start to run the script, I suggest you edit two places to fix a display issue caused by dialog. The script tries to display nice dialog boxes with the graphic characters for double lines, but on my Pi, running it headless, it reverts to incorrect ascii characters and that messes up the display. To fix that, open the file for editing:


Find the two instances where dialog is called (in line 279 and 306). In those two places, you need to add one more option to the dialog command line. (--ascii-lines)

You can do that as follows by changing the second line around line 279 from this:

dialog --backtitle "HMA! OpenVPN Script" \
--title "Select a server" \
--menu "Select a server" 17 90 15 $LINES 2>/tmp/server

into this:

dialog --backtitle "HMA! OpenVPN Script" \
--ascii-lines --title "Select a server" \
--menu "Select a server" 17 90 15 $LINES 2>/tmp/server

And this around line 306:

dialog --backtitle "HMA! OpenVPN Script" \
--title "Select OpenVPN protocol to use" \
--yes-label "UDP" --no-label "TCP" --yesno "Which protocol do you want to use?" 6 40

Into this:

dialog --backtitle "HMA! OpenVPN Script" \
--ascii-lines  --title "Select OpenVPN protocol to use" \
--yes-label "UDP" --no-label "TCP" --yesno "Which protocol do you want to use?" 6 40

Save the file and exit the editor.

Run the script and let it install the two needed packages.

sudo ./

Let it run, and from the dialog box, select a country and city. You can type the first letter from a country to jump there. I had to do that twice to get to the full selection of cities in my home country, the Netherlands (NL). After you selected the server you wanted, you get asked which protocol you want. Select UDP, because that is what we will be using later ourselves too.

If packages are missing from your installation, it will tell you and ask permission to install them.
Eventually you get to a fresh screen with the HMA! Logo, and the scripts now downloads your personalized OpenVPN setup file from the server. We’ll get to that when we will start to build our own setup files. The script also displays the current public IP address of the router and it starts to build the connection to the server in the city/country you selected.

For security and authorization, it also wants your HMA! account username and password to log you in.
It then shows a lot of details about the building of the connection, and after showing this:

Initialization Sequence Completed

It waits…because it is running in the foreground.

Look at the screen and try to interpret what is has done.

Basically, in a nut-shell, it has installed a tunnel interface from the Pi to the selected HMA! server by establishing a TUN/TAP device called a tun0 interface. It also created a connection from the IP address of the server to a sub-net on the Pi. 

This is a snippet from that portion:

/sbin/ip addr add dev tun0 broadcast
/sbin/ip route add via
/sbin/ip route add via
/sbin/ip route add via

Line 1: added a tun0 interface with IP with mask /22 ( to broadcast at the end of the sub-net
Line 2: Added a route from the IP address of the HMA! server to the eth0 gateway of the Pi
Line 3 & 4: some juggling to setup the client with a subnet address of

A Ctrl-c will abort the script and terminate the connection. 

OK, we know it works this far. Now we need to make it “really” work so we can fit this in with our wireless access point.

11.Testing OpenVPN with HideMyAss

As you have seen, the HMA! script sets up a tunnel from one of their servers to the tun0 interface at the Pi end, but there is no connection from there to anywhere else yet. It dead-ends at the Pi at the moment.

Earlier, to make the access point work, we used iptables to create a link from the wlan0 interface to the eth0 interface to allow connected clients access to the internet. We now need to do the same, but instead of linking to the internet where we currently are, we want to link through the tunnel to access the internet in the country we want to be.

This is simply a matter of using the previous iptables rules, but replacing all references from eth0 to the tunnel interface tun0.

To do that, we first flush all the current rules in the iptables memory.

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

Now install the new iptables with the tun0 interface instead of the eth0 interface. Remember that the second line is one line, without a break.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

And save them into the rules file so they get loaded at the next (re)boot.

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Let’s try that out completely.  The new iptables are already installed at the moment, so there is no need for a reboot yet.

Go to your iPAD or any other wireless device, and connect the wireless interface to the local access point of the Pi. Open Safari or any other browser and go to the website. It will show you the local public IP address of the router, in the country you are in at the moment. The website also shows you a little map with the geo-location of the server you are currently connecting to, and from there to the internet cloud.

Keep your fingers crossed and start the HMA! setup program, but now run it as a daemon ( with the –d) option:

sudo ./ –d

Select a server in your “want to be in” country and city, enter your account name and password to get access to the HMA! server.

When the setup has finished, you will get the Pi prompt back again.

Now go back to your iPAD and update or refresh the website.

If all went well, it should now show you the IP address of the server in your “want to be in” country and city and show that geo-location on the little map. Yeah!

The HMA! tunnel connection protects you from man-in-the-middle (MitM) attacks, which are today’s robbers and thieves out of the medieval forests, because the data is encrypted. It also provides a safe connection method from the Pi to the HMA! servers by using certificates and keys in the authentication process.

With the tunnel I am going to build to my router at home, I will also add protection to the local server/router for denial of service (DoS) attacks. 

More about that in the next post, although the final ones will take a few weeks. I need to get home first. In the meantime, I’m going to enjoy the nice weather while I’m still here.

Stay tuned!

No comments:

Post a Comment